Secunia PSI 2.0 Identifies and Installs Application Updates

Secunia PSI 2.0 adds the ability to auto-update third-party applications such as Flash or Java in order to avoid in-the-wild exploits and threats that antivirus software might miss.

PSI 2.0 offers critical enhancements to Secunia's free
application vulnerability assessment tool, adding remediation and update
capabilities on top of the old notification engine.
Secunia PSI has been an important part of my security toolkit for several
years, providing a single stop for me to check whether all the applications
installed on my Windows 7, Vista, or XP PCs are fully patched and up to date.
It does this via an easy-to-understand posture assessment score based on the
detected system status. Keeping both the OS and applications up to date is
among the best ways to avoid exploits and attacks, particularly those that
complementary antimalware programs have not yet learned to detect.

PSI (Personal Software Inspector) 2.0 eases many of the qualms I've had about
the product, finally fixing Windows rights issues and the reliance on third-party
plug-ins for full operation. It also adds promising auto-update capabilities
that could let users disable the many separate auto-update engines that ISVs
quietly install on Windows desktops.

PSI 2.0 is available as a free download for personal use only from http://www.secunia.com. Corporate customers
interested in similar, enterprise-oriented capabilities with central management
can look into Secunia's for-pay CSI (Corporate Software Inspector). Of course, PSI
could also be useful to enterprise users for protecting any home systems they use
to access corporate resources.

Secunia finally extended PSI's always-on benefit to computers for which the
primary user does not run with local administrator rights by default. This
makes the software more feasible to use consistently on locked-down desktops.
Previous versions of PSI required administrative rights in order to run,
which kept the application from running automatically in restrictive
environments.

To address this shortcoming, the core PSI functionality is now split across four
distinct processes. A pair of new services, the PSI Agent and the Update Agent,
auto-start at boot with system privileges, while a revamped system tray applet
runs as the logged-in user. In this way, PSI 2.0 can auto-start at system boot no
matter what rights the interactive user has. It can also conduct weekly scans and
continuous monitoring of the installed application set, alert when state changes
are detected, and silently perform updates in the background without requiring
user interaction.

The only component that requires the user to input administrator credentials is
the slimmed-down PSI.exe, which is now the sole management interface used to
change PSI behavior or to perform manual updates or posture assessments.
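The privilege split described above is worth verifying on a deployed machine. The script below is an added audit example, not code from Secunia or from this review: it lists the two services' start mode, account and binary path, flags a service binary that standard users could modify (a SYSTEM service that loads user-writable code is a local privilege-escalation risk, so the answer should be false), and lists processes launched from the same install directory with their owners so the tray applet can be confirmed to run as the interactive user rather than SYSTEM. The display-name patterns and the install-directory derivation are assumptions, since the review names the components but not their Win32 service names. Requires PowerShell 3 or later; run it elevated for complete ACL and owner information.

```powershell
# Added example (not Secunia's code): audit PSI 2.0's privilege split.
# Assumptions: service DisplayName contains "PSI Agent" or "Update Agent";
# the install directory is taken from the first matching service's binary path.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and carry arguments; keep only the executable.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-UserWritable {
    param([string]$Path)
    # True if an Allow ACE grants write/modify/full control to a broad, low-privilege
    # principal (BUILTIN\Users, Authenticated Users, Everyone, INTERACTIVE).
    try { $acl = Get-Acl -LiteralPath $Path } catch { return $null }   # unreadable: unknown
    $writeMask = [System.Security.AccessControl.FileSystemRights] 'Write, Modify, FullControl'
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notmatch 'Users$|Everyone|INTERACTIVE') { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-PsiPrivilegeAudit {
    param([string[]]$DisplayNamePatterns = @('*PSI Agent*', '*Update Agent*'))  # assumed names

    $services = Get-CimInstance Win32_Service | Where-Object {
        $svc = $_
        @($DisplayNamePatterns | Where-Object { $svc.DisplayName -like $_ }).Count -gt 0
    }
    if (-not $services) {
        Write-Warning 'No matching services found; adjust -DisplayNamePatterns.'
        return
    }

    foreach ($svc in $services) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        [pscustomobject]@{
            Component    = $svc.DisplayName
            Kind         = 'Service'
            Account      = $svc.StartName        # review says system privileges: expect LocalSystem
            StartMode    = $svc.StartMode        # expect Auto: starts before any user logs on
            State        = $svc.State
            Binary       = $exe
            UserWritable = Test-UserWritable $exe   # a SYSTEM service binary must not be user-writable
        }
    }

    # The tray applet should run as the logged-in user; list every running process
    # from the install directory with its owner so that can be confirmed.
    $installDir = Split-Path -Parent (Get-ServiceBinaryPath (@($services)[0]).PathName)
    Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath -like "$installDir\*" } |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            [pscustomobject]@{
                Component    = $_.Name
                Kind         = 'Process'
                Account      = "$($owner.Domain)\$($owner.User)"
                StartMode    = ''
                State        = 'Running'
                Binary       = $_.ExecutablePath
                UserWritable = Test-UserWritable $_.ExecutablePath
            }
        }
}

Get-PsiPrivilegeAudit | Format-Table -AutoSize
```

The interesting rows are any service with UserWritable set to true, or any process from the install directory other than the services that shows a SYSTEM owner: the first undermines the boundary the design relies on, the second means the user-facing component is not as unprivileged as the review describes.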

PSI 2.0 uses its new privilege model to good effect, delivering new auto-update
capabilities for some third-party applications. Behind the scenes, PSI 2.0 can
download and silently install patches to commonly installed applications from
Adobe (AIR, Reader, Flash), Mozilla (Firefox), and Google (Picasa), as well as
Oracle's Java and FileZilla.

When set to auto-update, I found PSI 2.0 could recognize the presence of an out-of-date
application, say Firefox 3.6.12, then automatically download and install the
update to 3.6.13. However, there are limitations to the auto-update engine.
Since PSI decides whether an application is out of date based on Secunia's
application vulnerability reports, it may not perform feature updates that
don't include security patches. So, using the same example, I found that PSI
would not automatically update Firefox 3.5.16 to 3.6.13.
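To make the distinction concrete, here is a sketch of a decision rule that behaves the way the review describes. It is an added example, not Secunia's logic, and the branch table is constructed for illustration: an installed version is judged against the latest patched release of its own branch (vulnerability data), not against the newest release overall (feature data). That is why 3.6.12 is flagged, since 3.6.13 supersedes it within the 3.6 branch, while 3.5.16 is not flagged even though 3.6.13 exists.

```powershell
# Added example, not Secunia's code. Constructed table: newest patched release per branch.
$LatestSecureByBranch = @{
    'Firefox' = @{ '3.5' = [version]'3.5.16'; '3.6' = [version]'3.6.13' }
}

function Get-UpdateDecision {
    param(
        [Parameter(Mandatory)][string]$Product,
        [Parameter(Mandatory)][version]$Installed
    )
    $table = $LatestSecureByBranch[$Product]
    if (-not $table) {
        return [pscustomobject]@{ Product = $Product; Installed = $Installed; Status = 'Unknown'; Target = $null }
    }

    $branch = '{0}.{1}' -f $Installed.Major, $Installed.Minor
    $newest = $table.Values | Sort-Object -Descending | Select-Object -First 1

    if (-not $table.ContainsKey($branch)) {
        # A branch the vulnerability data no longer tracks: no patched release exists for it,
        # so the only remedy is a manual move to the newest branch.
        return [pscustomobject]@{ Product = $Product; Installed = $Installed; Status = 'End-of-life'; Target = $newest }
    }

    $secure = $table[$branch]
    if ($Installed -lt $secure) {
        # Security fix available within the installed branch: this is what auto-update applies.
        return [pscustomobject]@{ Product = $Product; Installed = $Installed; Status = 'Insecure'; Target = $secure }
    }
    if ($Installed -lt $newest) {
        # Fully patched for its branch; a newer branch is a feature upgrade, not a security update.
        return [pscustomobject]@{ Product = $Product; Installed = $Installed; Status = 'Patched'; Target = $newest }
    }
    return [pscustomobject]@{ Product = $Product; Installed = $Installed; Status = 'Up to date'; Target = $null }
}

# The two cases from the review, plus a branch absent from the table.
Get-UpdateDecision -Product Firefox -Installed '3.6.12'
Get-UpdateDecision -Product Firefox -Installed '3.5.16'
Get-UpdateDecision -Product Firefox -Installed '3.0.19'
```

Under this rule only an Insecure verdict triggers a silent update; a Patched verdict means the machine is not exposed to any disclosed issue, so someone wanting the newest feature release still has to upgrade by hand.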

Users may also set PSI to require manual approval before performing updates,
and I found that the Scan Results page hinted at several different kinds of
update scenarios when used in this manner. PSI won't update the Windows OS
directly; instead, users see a link to Microsoft Update. On the other hand,
third-party applications supported for automatic updates require the user only
to click the upgrade link on the Scan Results page for silent download and
update. For slightly less supported applications, Apple QuickTime for instance,
users will find only a download link to obtain an installer package directly
from the ISV for manual installation.

In my tests, however, I found those download links might not provide the best
path to an up-to-date application. In one test case, for instance, I found that
PSI would not link to the most current version of the application in question.
PSI easily found an old copy of QuickTime on Windows XP to be far out of date,
offering an upgrade link to version 7.68.75.0. After performing that upgrade
manually, PSI then informed me that QuickTime needed another update, this time
to 7.69.80.9.

However, I did like the protections afforded through PSI's linking process to
third-party patches. In my tests, I found that PSI would perform hash checks to
ensure the downloaded files matched expectations.
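The same check is worth applying by hand whenever an installer arrives through a plain download link rather than the automatic path. The function below is an added example, not Secunia's code: it refuses to run an installer unless its SHA-256 matches the value the vendor published and its Authenticode signature chains to a trusted publisher (a hash alone only proves the file is the one that was expected; the signature ties it to the vendor). The file path, expected hash and publisher subject are placeholders, and the silent-install switch is installer-specific. Get-FileHash requires PowerShell 4 or later.

```powershell
# Added example, not Secunia's code: fail-closed integrity and authenticity check
# for a downloaded installer. Placeholders: $Path, $ExpectedSha256, $ExpectedSubject.

function Test-InstallerIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [string]$ExpectedSubject     # optional: expected signer subject, e.g. 'CN=Apple Inc., ...'
    )
    $verdict = [ordered]@{ Path = $Path; Ok = $false; Reason = '' }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $verdict.Reason = 'file not found'
        return [pscustomobject]$verdict
    }

    # 1. Integrity: the bytes on disk must match what the link promised.
    #    -ne is case-insensitive in PowerShell, so hex case in the published value does not matter.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {
        $verdict.Reason = "SHA-256 mismatch (got $actual)"
        return [pscustomobject]$verdict
    }

    # 2. Authenticity: anything other than Valid (NotSigned, HashMismatch, UnknownError, ...) fails.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $verdict.Reason = "Authenticode status: $($sig.Status)"
        return [pscustomobject]$verdict
    }
    if ($ExpectedSubject -and $sig.SignerCertificate.Subject -ne $ExpectedSubject) {
        $verdict.Reason = "unexpected signer: $($sig.SignerCertificate.Subject)"
        return [pscustomobject]$verdict
    }

    $verdict.Ok = $true
    return [pscustomobject]$verdict
}

# Run the installer only when both checks pass; otherwise report why and stop.
$check = Test-InstallerIntegrity -Path "$env:TEMP\QuickTimeInstaller.exe" `
                                 -ExpectedSha256 'REPLACE_WITH_VENDOR_PUBLISHED_SHA256'
if ($check.Ok) {
    Start-Process -FilePath $check.Path -ArgumentList '/quiet' -Wait   # switch is installer-specific
} else {
    Write-Error "Refusing to run $($check.Path): $($check.Reason)"
}
```

Note what the hash check does and does not buy you: it confirms the file is the one the link intended, not that it is the current release. In the QuickTime case above, both the 7.68.75.0 and the 7.69.80.9 installers would pass their own hash checks, so the stale-link problem remains and a follow-up scan is still needed.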

The Scan Results page looks much different from previous versions, as the
entire application set is now shown on a single screen, with end-of-life and
insecure applications moved to the top for easy recognition. In previous
versions, PSI broke the computer's application set into three distinct screens
(for end-of-life, up-to-date, and insecure applications), making the user click
around to identify the state of everything.

The new System Tray icon is now more useful, as well. While in past versions,
the system tray icon solely indicated that PSI was active, in the new version
the icon changes color to reflect the overall security posture of the computer.
If more than 10 percent of installed applications require updates, the icon
shows red, while a fully patched system delivers a green icon.

The new Dashboard looks similar to the old version, displaying the aggregate
posture assessment score and last scan date, as well as the auto-update status
and history items, both new in 2.0. PSI 2.0 also shows trending graphs for the
posture-assessment score over the last five weeks and a line chart showing the
total number of security patches released over the last six months that apply
to the PC's installed application set.

I was also gratified to find that PSI 2.0 no longer requires the Adobe Flash
ActiveX plug-in to display the graphical trending data, a requirement I found quite
annoying in the previous PSI iterations.

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.